界: Encapsulation

封装即绘制强边界。在 Web 浏览器中,这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上,这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据,或者区分允许用户查看的数据和不允许用户查看的数据。

104 个项目已找到
弱点

Kubernetes Misconfiguration: Kubelet Anonymous Access

Abstract
Kubelet 配置中已启用匿名请求。
Explanation
存在允许 Kubelets 处理匿名请求的配置。任何配置的身份验证方法都不会拒绝匿名请求。由于 Kubelets 是管理工作程序计算机工作负载的 Kubernetes 主要代理,攻击者可以使用匿名请求来访问保护不充分和安全敏感的服务 API。

示例 1:以下配置文件允许 Kubelet 处理匿名请求,因为 anonymous 字段设置为 enabled:true

...
kind: KubeletConfiguration
...
authentication:
  anonymous:
    enabled: true
...
References
[1] Set Kubelet parameters via a config file The Kubernetes Authors
[2] Kubelet The Kubernetes Authors
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 284
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[15] Standards Mapping - FIPS200 AC
[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[19] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[20] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[21] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[23] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[39] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[40] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[41] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.yaml.kubernetes_misconfiguration_kubelet_anonymous_access

Mass Assignment: Sensitive Field Exposure

Abstract
一个敏感字段已向模型绑定器公开。
Explanation
现代框架可让开发人员将来自请求查询和正文的 HTTP 请求参数自动绑定至模型对象,以便于开发和提高生产率。如果绑定器未正确配置为控制将哪些 HTTP 请求参数绑定到哪些模型属性,攻击者可能会滥用模型绑定过程并设置不应向用户控件公开的任何其他属性。即使模型属性未出现在 Web 表单或 API 合约中,也可能会发生这种绑定。

例 1:以下 ASP.NET MVC 控制器方法 (Register) 从 Web 表单进行访问,该表单要求用户通过提供其姓名和密码注册帐户。


public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}


其中,RegisterModel 类定义为:


public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}
Details 类定义为:


public class Details
{
    public bool IsAdmin { get; set; }
    ...
}


设想Example 1 中的场景,攻击者可能会浏览应用程序并发现 RegisterModel 模型中存在 Details 属性。如果出现这种情况,攻击者可能会尝试覆盖分配给这些属性的当前值。
如果攻击者可以找到这些内部属性,并且框架绑定器未正确配置为禁止绑定这些属性,则攻击者可能会通过发送以下请求注册管理员帐户:


name=John&password=****&details.is_admin=true
References
[1] OWASP Mass assignment
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 915
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.dotnet.mass_assignment_sensitive_field_exposure
Abstract
敏感字段向模型绑定器公开。
Explanation
现代框架允许开发人员自动将请求查询和正文中的 HTTP 请求参数绑定到模型对象,便于推进开发工作及提高工作效率。如果绑定器未正确配置为控制将哪些 HTTP 请求参数绑定到哪些模型属性,攻击者可能滥用模型绑定进程,设置不应暴露给用户控制的任何其他属性。即使 Web 表单或 API 约定中未显示模型属性,也可以建立此类绑定。

示例 1: 以下 Struts 1 DynaActionForm 动态定义绑定到用户请求的 ActionForm。在这种情况下,在实际应用中,通过提供帐户类型和用户详细信息来注册帐户:


<struts-config>
  <form-beans>
       <form-bean name="dynaUserForm"
          type="org.apache.struts.action.DynaActionForm" >
              <form-property name="type" type="java.lang.String" />
              <form-property name="user" type="com.acme.common.User" />
       </form-bean>
       ...



如果注册成功,用户数据将被永久保存到数据库中。User 类定义为:


public class User {
  private String name;
  private String lastname;
  private int age;
  private Details details;

  // Public Getters and Setters
  ...
}
Details 类定义为:


public class Details {
  private boolean is_admin;
  private int id;
  private Date login_date;

  // Public Getters and Setters
  ...
}


设想Example 1 中的场景,攻击者可能会浏览应用程序并发现 User 模型中存在 details 属性。如果出现这种情况,攻击者可能会尝试覆盖分配给这些属性的当前值。
如果攻击者可以查找这些内部属性,但是为禁止绑定这些属性,框架绑定器配置不正确,那么攻击者将能够通过发送以下请求来注册管理员帐户:


type=free&user.name=John&user.lastname=Smith&age=22&details.is_admin=true
References
[1] OWASP Mass assignment
[2] Spring Spring MVC Known Vulnerabilities and Issues
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 915
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[20] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.config.java.mass_assignment_sensitive_field_exposure

Poor Logging Practice: Logger Not Declared Static Final

Abstract
声明记录器是固定且最终的。
Explanation
在某个特定类中的所有实例中,共享一个单一的记录器对象,并在程序的执行过程中使用同一个记录器,这是一个很好的编程习惯。

例 1:以下指令错误地声明了一个非固定日志记录器。


private final Logger logger =
            Logger.getLogger(MyClass.class);
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
desc.structural.java.poor_logging_practice_logger_is_not_declared_static_final

Poor Logging Practice: Multiple Loggers

Abstract
使用多级别日志,而不是在单一的类中使用多个日志记录器。
Explanation
良好记录行为是指为每个类使用一个日志记录器。

例 1:以下代码错误地声明了 multiple loggers。


public class MyClass {
  private final static Logger good =
            Logger.getLogger(MyClass.class);
  private final static Logger bad =
            Logger.getLogger(MyClass.class);
  private final static Logger ugly =
            Logger.getLogger(MyClass.class);
  ...
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001130 CAT II
desc.structural.java.poor_logging_practice_multiple_loggers

Poor Logging Practice: Use of a System Output Stream

Abstract
使用 Console.OutConsole.Error 而不是专门的日志记录工具,会导致难以监控程序的运行状况。
Explanation
示例 1:开发人员学习编写的第一个 .NET 程序如下所示:


public class MyClass {
  ...
    Console.WriteLine("hello world");
  ...
}


当多数程序员深入了解 .NET 的许多精妙之处时,有一部分人仍会依赖于这一基础知识,始终使用 Console.WriteLine() 来编写消息以进行标准输出。

这里的问题是,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标示符、次数统计,而且,可能最重要的是,将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能的代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。

开发者普遍认为需要使用结构化日志记录,但是很多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检阅的代码是在初始开发阶段之后生成的,那么 Console.WriteLine 的使用可能会在转向结构化日志记录系统的过程中导致一个漏洞。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.dotnet.poor_logging_practice_use_of_a_system_output_stream
Abstract
使用 os.Stdoutos.Stderr 而不是专门的日志记录工具,会导致难以监控程序的运行状况。
Explanation
示例 1:通常,开发人员学习编写的第一个 Go 程序如下所示:


...

func foo(){
    fmt.Println("Hello World")
}


多数开发人员深入了解 Go 的许多精妙之处后,一部分人员始终使用 fmt.Println() 编写进行标准输出的消息。

问题在于,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标识符、时间戳,以及将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。

开发者普遍接受结构化日志记录,但许多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检查的代码是在初始开发阶段之后生成的,那么使用 os.Stdoutos.Stderr 进行日志记录使用可能会在转向结构化日志记录系统的过程中导致漏洞。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.semantic.golang.poor_logging_practice_use_of_a_system_output_stream
Abstract
使用 System.outSystem.err 而不是专门的日志记录工具,会导致难以监控程序的运行状况。
Explanation
示例 1:开发人员学习编写的第一个 Java 程序如下所示:


public class MyClass
  ...
    System.out.println("hello world");
  ...
}


多数程序员深入了解 Java 的许多精妙之处后,有一部分人仍会依赖于这一基础知识,始终使用 System.out.println() 编写进行标准输出的消息。

这里的问题是,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标示符、次数统计,而且,可能最重要的是,将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能的代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。

开发者普遍认为需要使用结构化日志记录,但是很多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检查的代码是在开发阶段的初期生成的,那么对 System.outSystem.err 的使用可能会在转向结构化日志记录系统的过程中导致漏洞。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.java.poor_logging_practice_use_of_a_system_output_stream
Abstract
使用 process.stdoutprocess.stderr 而不是专门的日志记录工具,会导致难以监控程序的运行状况。
Explanation
示例 1:早期的 Node.js 开发人员编写的简单程序可从 stdin 读取并将其再次写回 stdout,可能如下所示:


process.stdin.on('readable', function(){
    var s = process.stdin.read();
    if (s != null){
      process.stdout.write(s);
    }
});


虽然大多数程序员继续学习,尤其是关于 JavaScript 和 Node.js 的细微之处,但很多程序员仍依赖于这一基础知识,始终使用 process.stdout.write() 编写标准输出的消息。

这里的问题是,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标示符、次数统计,而且,可能最重要的是,将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能的代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。

开发者普遍认为需要使用结构化日志记录,但是很多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检查的代码是在开发阶段的初期生成的,那么对 process.stdoutprocess.stderr 的使用可能会在转向结构化日志记录系统的过程中导致漏洞。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.javascript.poor_logging_practice_use_of_a_system_output_stream
Abstract
使用 printprintln 而不是专门的日志记录工具,会导致难以监控程序的运行状况。
Explanation
示例 1:开发人员学习编写的第一个 Kotlin 程序如下所示:


class MyClass {
    ...
            println("hello world")
    ...
    }
}


多数程序员深入了解 Kotlin 的许多精妙之处后,有一部分人仍会依赖于这一基础知识,始终使用 printprintln 编写进行标准输出的消息。

问题在于,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标识符、时间戳,以及可能最重要的将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能的代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。

开发者普遍认为需要使用结构化日志记录,但是很多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检查的代码是在初始开发阶段之后生成的,那么使用标准输出或错误流可能会在转向结构化日志记录系统的过程中导致一个漏洞。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.kotlin.poor_logging_practice_use_of_a_system_output_stream
Abstract
使用标准输出或标准错误而不是专门的日志记录工具,会导致难以监控程序运行状况。
Explanation
示例 1:开发人员学习编写的第一个 Python 程序通常如下所示:


sys.stdout.write("hello world")


多数程序员深入了解 Python 的许多精妙之处后,有一部分人仍会依赖于这一基础知识,始终编写进行标准输出的消息。

这里的问题是,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标示符、次数统计,而且,可能最重要的是,将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能的代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。

开发者普遍认为需要使用结构化日志记录,但是很多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检查的代码是在开发阶段的初期生成的,那么对 sys.stdoutsys.stderr 的使用可能会在转向结构化日志记录系统的过程中导致漏洞。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.python.poor_logging_practice_use_of_a_system_output_stream
Abstract
使用 Kernel.putsKernel.warnKernel.printf 而不是专门的日志记录工具,会导致难以监控程序的行为。
Explanation
例 1:开发人员学习编写的第一个 Ruby 程序通常将包括如下功能:


...
puts "hello world"
...


多数程序员深入了解 Ruby 的许多精妙之处后,有一部分人仍会依赖于这一基础知识,始终使用 Kernel.puts 编写进行标准输出的消息。

这里的问题是,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标示符、次数统计,而且,可能最重要的是,将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能的代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。

开发者普遍认为需要使用结构化日志记录,但是很多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检查的代码是在初始开发阶段之后生成的,那么对 Kernel.putsKernel.warnKernel.printf 的使用可能表示转向结构化日志记录系统过程中的一时疏忽。
如果公司策略规定不能使用这些 API,则仍然可以通过使用日志系统将信息打印到系统输出流来绕过此策略。

例 2:下面的代码使用了 Logger 类,但是将信息记录到系统输出流:


require 'logger'
...
logger = Logger.new($stdout)
logger.info("hello world")
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - FIPS200 AU
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.ruby.poor_logging_practice_use_of_a_system_output_stream

Poor Style: Non-final Public Static Field

Abstract
外部类可更改非最终公共静态字段。
Explanation
通常情况下,您不会希望为外部类提供对象成员字段的直接访问路径,因为任意外部类都可以更改公共字段。面向对象的良好设计使用 Encapsulation 来防止将实现详细信息(例如成员字段)暴露给其他类。此外,如果系统假定此字段不可更改,则恶意代码可能能够逆向更改系统的行为。

示例 1:在以下代码中,字段 ERROR_CODE 已声明为公共、静态和非最终:


public class MyClass
{
public static int ERROR_CODE = 100;
//...
}


在这种情况下,恶意代码可能能够更改此错误代码并导致程序出现意外行为。
References
[1] Sun Microsystems, Inc. Secure Coding Guidelines for the Java Programming Language, version 2.0
[2] OBJ10-J. Do not use public static nonfinal fields CERT
[3] MUTABLE-9: Make public static fields final Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 493
desc.structural.java.poor_style_non-final_public_static_field

Python Bad Practices: Leftover Debug Code

Abstract
调试代码可以在部署的 Web 应用程序中建立一些意想不到的入口点。
Explanation
在实践中,人们往往为了达到调试和测试代码的目的而输出某些变量的值,同时附带的还有一些本不应提供或保留在正式部署的应用系统中的代码。当这种类型的调试代码意外地留在应用程序中,应用程序可能会在无意间将其泄漏给攻击者。但并不是所有的调试指令都会泄漏敏感或私密信息。然而,调试语句的出现通常意味着附近的代码已被忽略,而且可能处在一种不受维护的状态。

References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 489
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.semantic.python.python_bad_practices_leftover_debug_code